Firewall Wizards mailing list archives

Re: Third Party Audit of a Firewall


From: C Matthew Curtin <cmcurtin () interhack net>
Date: Sun, 1 Feb 1998 22:52:53 -0500 (EST)

"Chad" == Chad Schieken <cschieke () advsys com> writes:

Matt> I'm not sure I'd show this documentation to the auditors.

Chad> I disagree with that stance. It seems to only test the skill of
Chad> the auditor, not the strength of the firewall.

The real point of not showing the documentation to the auditors would
be to test the quality of the documentation.  The documentation is
what someone will point to in order to find out what the state of the
system is, what risks are, etc.  If the documentation is out of sync
with the way things are, it's useless, or maybe worse.

The auditors, of course, will determine the real state of things.

My approach is hardly a magic cure-all for auditing, but it seems to
provide two useful services in one job: determination of the
documentation's quality (and/or how well the written policy has been
implemented), as well as weaknesses that might have been overlooked in 
the original design and/or implementation.

-- 
Matt Curtin cmcurtin () interhack net http://www.interhack.net/people/cmcurtin/


